VID 24043
Severity 40
Port 666
Protocol TCP
Class BackDoor
Detailed Description The Satan's BackDoor backdoor is detected.
Satan's BackDoor is a trojan horse program created in February 1999 and written in Visual Basic 6.
This backdoor consists of a client (agent) program, SBD2 Client BETA.exe or Client.exe, and a server program, winvmm32.exe. It listens on TCP port 666 by default, and the port cannot be changed. mswinsck.ocx, msvbvm60.dll and Comdlg32.ocx are required to run the trojan. Version 2.0beta does not register an autostart (autoload) entry, so no such information can be found. Version 1.0, however, registers a value named "sysprot Protection" with the data C:\windows\sysprot.exe under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.

With Satan's BackDoor, an attacker can do the following:

- Display fake password dialog
- Display message box
- Get cached passwords
- Get clipboard text
- Get system information
- Get/Change date and time
- Message box bomb
- Notify server that they are infected
- Run program on server
- Send keystrokes to active window
- Keylogging

* Platforms Affected:
Microsoft Windows Any version

* References:
http://www.iss.net/security_center/reference/vuln/SatansBackdoor.htm
http://xforce.iss.net/xforce/xfdb/4149
Recommendation Remove it from your computer:

* Version 2.0beta :
1. Reboot the computer or close winvmm32.exe.
2. Delete the trojan file winvmm32.exe.

* Version 1.0 :
1. Remove the 'sysprot Protection' value from the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices using regedit or another registry editing program.
2. Reboot the computer or close sysprot.exe.
3. Delete the trojan file sysprot.exe from the Windows directory.

-- OR --

Remove it from your computer using a vaccine (anti-virus) program.
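As an added illustration, not part of the original signature text, the following Python script checks captured `netstat -ano`, `tasklist` and `reg export` output from a host for the indicators given in the description above (a TCP 666 listener, the winvmm32.exe or sysprot.exe server process, and the "sysprot Protection" value under RunServices) and maps what it finds to the manual removal steps. The sample captures embedded in the script are constructed for illustration, not taken from a real host, and the function names are the editor's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Indicators taken from the signature text: fixed port, server file per version,
# and the autostart value that only version 1.0 creates.
DEFAULT_PORT = 666
SERVER_FILES = {"winvmm32.exe": "2.0beta", "sysprot.exe": "1.0"}
RUNSERVICES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                   r"\CurrentVersion\RunServices")
AUTOSTART_VALUE = "sysprot Protection"

# Constructed sample captures (not real host data) in the formats produced by
# `netstat -ano`, `tasklist` and `reg export` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:666            0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.20:666       192.168.1.99:4213      ESTABLISHED     1480
  UDP    0.0.0.0:500            *:*                                    904
"""
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
explorer.exe                   1052 Console                    1     18,204 K
sysprot.exe                    1480 Console                    1      3,116 K
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"sysprot Protection"="C:\\windows\\sysprot.exe"
"""


@dataclass
class Findings:
    listening_on_default_port: bool = False
    server_processes: List[Tuple[str, str, int]] = field(default_factory=list)  # (exe, version, pid)
    autostart_data: Optional[str] = None  # data of the RunServices value, if present

    def versions(self) -> Set[str]:
        """Trojan versions implied by the indicators found."""
        found = {version for _, version, _ in self.server_processes}
        if self.autostart_data is not None:
            found.add("1.0")
        return found


def tcp_listeners(netstat: str) -> Dict[int, int]:
    """Map listening TCP port -> owning PID from `netstat -ano` output."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.M)
    return {int(port): int(pid) for port, pid in pat.findall(netstat)}


def processes(tasklist: str) -> Dict[str, int]:
    """Map lower-cased image name -> PID from `tasklist` output."""
    pat = re.compile(r"^(\S+\.exe)\s+(\d+)\s", re.M | re.I)
    return {name.lower(): int(pid) for name, pid in pat.findall(tasklist)}


def reg_values(reg_export: str, key: str) -> Dict[str, str]:
    """Return name -> data for string values under `key` in a .reg export.
    .reg files double every backslash inside string data; that is undone here."""
    values: Dict[str, str] = {}
    in_key = False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line) if in_key else None
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def analyze(netstat: str, tasklist: str, reg_export: str) -> Findings:
    """Correlate the three captures against the signature's indicators."""
    f = Findings()
    f.listening_on_default_port = DEFAULT_PORT in tcp_listeners(netstat)
    for exe, pid in processes(tasklist).items():
        if exe in SERVER_FILES:
            f.server_processes.append((exe, SERVER_FILES[exe], pid))
    f.autostart_data = reg_values(reg_export, RUNSERVICES_KEY).get(AUTOSTART_VALUE)
    return f


def remediation(f: Findings) -> List[str]:
    """Removal steps from the recommendation above: autostart value first,
    then stop the process, then delete the file."""
    steps: List[str] = []
    if f.autostart_data is not None:
        steps.append(f'delete value "{AUTOSTART_VALUE}" under {RUNSERVICES_KEY}')
    for exe, _, pid in f.server_processes:
        steps.append(f"terminate {exe} (PID {pid}) or reboot the computer")
    for exe, _, _ in f.server_processes:
        steps.append(f"delete the trojan file {exe}")
    return steps


if __name__ == "__main__":
    result = analyze(SAMPLE_NETSTAT, SAMPLE_TASKLIST, SAMPLE_REG)
    print("TCP 666 listening:", result.listening_on_default_port)
    print("server processes:", result.server_processes)
    print("autostart value data:", result.autostart_data)
    print("versions indicated:", sorted(result.versions()))
    for step in remediation(result):
        print(" -", step)
```

A listener on TCP 666 alone is only a hint, since any process may bind that port; the script therefore reports the version only when the server file name or the RunServices value is present, and a 666 listener owned by an unknown process should be investigated by PID rather than removed blindly.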